Australian Government - Office of the Australian Information Commissioner - Home

Passenger Name Records (PNR data) Australian Customs and Border Protection Service Audit Report

Final audit report
Information Privacy Principles audit
Section 27(1)(h) Privacy Act 1988

Audit undertaken: November 2011
Draft report issued: April 2012
Final report issued: July 2012

Part 1 — Introduction

Background

1.1 The Australian Customs and Border Protection Service (Customs and Border Protection) and the Office of the Australian Information Commissioner (the OAIC) have an Agreement in place which intends to ensure the provision of a regular audit program for Customs and Border Protection's use of Passenger Name Records (PNR data).

1.2 Under the terms of the Agreement, the OAIC conducts two audits per financial year of Customs and Border Protection's handling of PNR data under section 27(1)(h) of the Privacy Act 1988 (Cth) (the Act).

1.3 This is the first audit for the 2011-12 financial year. The audit's focus is on Customs and Border Protection's handling of PNR data during its post-arrival risk assessment process undertaken at the Brisbane and Gold Coast international airport arrivals terminals.


Part 2 — Description of audit

Purpose

2.1 The purpose of the audit was to ascertain Customs and Border Protection's compliance with the Information Privacy Principles (IPPs) contained in section 14 of the Act, specifically in relation to its handling of PNR data.

Scope

2.2 The audit focused on assessing Customs and Border Protection's compliance with the IPPs in handling PNR data within their agency, in the post-arrival processing of passengers. The audit involved the inspection of the arrivals areas of two international airports (Brisbane and Gold Coast) in order to observe the handling of this data in both a major and a regional Australian airport respectively.

2.3 The audit involved a review of Customs and Border Protection's policies and procedures for the collection, storage, use and disclosure of PNR data during this process. Enquiries were also made regarding information technology matters and staff training procedures.

2.4 The scope of the audit did not include the collection of PNR data by the Passenger Analysis Unit (PAU) based in Canberra, the handling of PNR data in the development of PAU alerts or any post-arrival collection of passengers' personal information by Customs and Border Protection officers resulting from a PAU alert. However, the scope did include a consideration of the flow of personal information from Customs and Border Protection staff at the airports to the PAU when actions were taken as a result of a PAU alert.

Timing and location

2.5 The audit was conducted on 22 and 23 November 2011 at Brisbane International Airport, Queensland and on 24 November 2011 at Gold Coast International Airport, Queensland.

Description of Auditee

2.6 Customs and Border Protection is the primary border protection agency in Australia. It manages the security and integrity of Australia's borders. It works closely with other government and international agencies to detect and deter unlawful movement of goods and people across the border. Some of those other agencies are the Australian Federal Police (AFP), the Australian Quarantine and Inspection Service (AQIS), the Department of Immigration and Citizenship (DIAC) and the Attorney General's Department.

2.7 Customs and Border Protection employs more than 5,500 people nationally in Australia and overseas. Its National Office is in Canberra.

2.8 Customs and Border Protection runs three main programs: the Passenger and Trade Facilitation Program, the Border Enforcement Program and Corporate Operations Program.

2.9 Among other activities, it intercepts illegal drugs and firearms and targets high-risk aircraft, vessels, cargo, postal items and travellers. Customs and Border Protection also has a fleet of ocean-going patrol vessels and contracts two aerial surveillance providers for civil maritime surveillance and response.

Role of the Passenger Analysis Unit

2.10 One border protection activity undertaken by Customs and Border Protection is its pre-arrival risk assessment of passengers travelling to or in transit through Australia.

2.11 Pre-arrival risk assessment aims to prevent terrorism and related crimes and other serious crimes that are transnational in nature, such as money laundering, drugs importation, weapons trafficking and people smuggling/trafficking.

2.12 The PAU in Customs and Border Protection conducts pre-arrival assessments of passengers using PNR data and other advance passenger information. The PAU also responds to requests for PNR data from other areas of Customs and Border Protection (internal requests) and from other agencies, such as the AFP (external requests). These internal and external requests for PNR data are referred to as ‘Requests For Information’ or RFIs.

2.13 The PNR data is information about airline passengers that is held by airlines on their computer reservation system and departure control system. PNR data includes such information as:

  • PNR locator code
  • passenger name(s)
  • passport number
  • nationality
  • details of travel companions
  • frequent flyer information
  • ticketing information; date of reservation/issue of ticket; itinerary; alterations made to booking
  • contacts; payments/billing; travel agent details
  • special request/service information
  • number of bags; weight of bags
  • seat allocation.

2.14 Customs and Border Protection PAU officers receive scheduled transmissions of EU sourced PNR data beginning at 72 hours before the scheduled departure of relevant flights. The PAU receives PNR data from over 30 airlines. PAU officers use this information, together with a range of other information (for example immigration, intelligence and other law enforcement data), to screen passengers prior to arrival to Australia and assist in identifying those passengers that may pose a risk at the time of arrival.

2.15 After analysis of advance passenger information and PNR data, the PAU may create a passenger alert in Customs and Border Protection's Passenger Analysis Clearance & Evaluation System (PACE). PACE is an electronic system that supports Customs and Border Protection's outcomes of facilitating the legitimate movement of people and the goods they bring across the border, while intercepting prohibited and restricted imports and exports and identifying illegal movements.

2.16 All alerts originating in the PAU are referred to as ‘PAU alerts’ and may be the result of analysis of one or more sources including PNR data. As such, there is no specific or separate ‘PNR alert’ used by Customs and Border Protection. Where relevant, there may be PNR data in the narrative field of the PACE alert.

Post Arrival Risk assessments in Australian airports

2.17 Brisbane Airport currently has 17 Team Leaders who manage Customs and Border Protection officers, referred to as response team officers. Gold Coast Airport currently has four Team Leaders managing the response teams. At Australian international airports, response team officers are responsible for assisting travellers and also applying risk management techniques to identify and intercept travellers who may pose a threat to border integrity.

2.18 In each region, Airport Operation Officers, including Tactical Support Officers (TSOs), act as intermediaries between the PAU and response team officers in the exchange of PNR data.

2.19 An organisation chart for both the Brisbane Airport and Gold Coast Airport with respect to PNR data is located at Appendix B and C respectively.

Information obtained prior to the audit

2.20 The following documentation was provided prior to the commencement of the OAIC's audit of Customs and Border Protection's post-arrival processing of passengers in November 2011:

  • A current organisation chart for the relevant areas of Customs and Border Protection that handle PNR data in Brisbane and Gold Coast airports
  • An outline of personal information data flows within Customs and Border Protection as it relates to the handling of PNR data in Brisbane and Gold Coast airports
  • Summary information around any relevant computer systems documentation and/or specifications including systems security and any IT Security Policy in relation to the PNR Data:
    • Practice Statement 2010/07 - Information and Communications Technology (ICT) Security Practice Statement
    • Practice Statement 2009/08 - National Intelligence System - NIS Access and Use (18/02/09)
    • Instruction and Guideline National Intelligence System (NIS) - Access Arrangements
    • Practice Statement 2009/09 - National Intelligence System - NIS Governance and Control (18/02/09)
  • Copies of staff instructions or memorandums addressing the Privacy Act and/or information security at Brisbane and Gold Coast airports:
    • Airport Notification - 2009-10 PAU Alert Notification to Airport Operations Control Rooms
    • Airport Notification 2009-20 - Information Security and Information Privacy Requirements
  • Details of any Brisbane and Gold Coast airport staff training concerning the Privacy Act and the handling of PNR Data in Customs and Border Protection, including a copy of any training material presented to participants
  • Documentation of any practices, procedures or guidelines that specifically relate to the handling of European Union PNR data
  • Gold Coast airport also provided a list of its flight schedule for Thursday 24 November, to assist in the planning of specific times for the audit fieldwork.

Opinion

2.21 The audit revealed that Customs and Border Protection generally handles PNR data within the airport environment in accordance with the IPPs in the Act. Consequently, the opinion of the audit team was that Customs and Border Protection was compliant in meeting its obligations under the Act.

2.22 The audit team found no breaches of the IPPs and makes no recommendations regarding Customs and Border Protection's information handling practices in meeting its obligations under the Act.

2.23 The auditors did identify two areas where a suggestion for better privacy practice may be considered by Customs and Border Protection. These suggestions do not necessarily arise out of actual risks to personal information but are suggested as best practice privacy control to promote compliance with the Act.

2.24 The best privacy practice suggestions arising from this audit are outlined in Section 4 of this report.

Follow up review

2.25 It is the intention of the OAIC to undertake on-going audits of Customs and Border Protection in accordance with the Agreement between Customs and Border Protection and the OAIC.

Reporting

2.26 Completed audit reports of ACT and Australian government agencies are generally published on the Office of the Australian Information Commissioner's website, http://www.oaic.gov.au/


Part 3 — Audit issues

The Information Privacy Principles (IPPs) are produced in full at Appendix A.

IPP 1-3 issues — Collection of personal information

IPP 1 provides that personal information shall not be collected unless the collection is for a lawful purpose directly related to the collector's functions and activities and necessary or directly related to that purpose.

IPP 2 provides that, where a collector solicits and collects personal information directly from an individual, it must take reasonable steps to inform the individual of the purpose of collection, any legal authorisation or requirement for the collection, and any person, body or agency to which it usually discloses that information.

IPP 3 provides that, where a collector solicits and collects personal information generally it must take reasonable steps to ensure that, having regard to the purpose for which the information is collected, the information is relevant to that purpose, up to date and complete, and that the collection does not intrude to an unreasonable extent on the individuals' personal affairs.

Observations

3.1 The auditors observed that Customs and Border Protection officers at both Brisbane and Gold Coast Airports are not involved in the collection of PNR data from the relevant airlines.

3.2 From prior audits, the auditors were aware that the collection of PNR data occurs at the PAU in Canberra, and as such, Customs and Border Protection officers based at Brisbane and Gold Coast airports are not involved in this process. Rather, the officers at those airports use PNR data contained (where relevant) in a PACE Alert.

3.3 However, where an alert involving PNR data has been sent to an airport for action, the Customs and Border Protection officers involved in responding to that alert do collect personal information as part of their ordinary processing of passengers (i.e. during the intervention phase). This includes making notes of conversations with passengers about their reasons for travel and information collected during any baggage search, seizure of goods, interviews and detention and referrals to other law enforcement officials.

3.4 The auditors observed the post-arrival processing of passengers, from the processing of passports and visas through to the baggage search process before passengers exit to the external arrivals hall. At the Brisbane and Gold Coast airports, the auditors observed a number of passengers being interviewed by Customs and Border Protection officers.

3.5 The handling of this additional personal information, from non-PNR sources, is not within the scope of this audit.

Privacy issues

3.6 As PNR data is not collected at Brisbane and Gold Coast airports, there are no collection issues within the scope of this audit.

IPP 4 issues — Storage and security of personal information

IPP 4(a) requires a record keeper who has possession or control of a record that contains personal information to ensure that the record is protected by security safeguards reasonable in the circumstances against loss, unauthorised access, use, modification, disclosure and other misuse.

IPP 4(b) requires that, if it is necessary for the record to be given to a person in connection with the provision of a service to the record keeper, everything reasonably within the record keeper's power be done to prevent unauthorised use or disclosure of information contained in the record.

Observations

Physical security

3.7 When a PAU alert is created in relation to a passenger due to arrive at a particular airport, a PAU officer will send a single page fax to the relevant airport operations Control Room (the Control Room). This faxed document does not contain any personal information. It contains a PACE alert number which the airport operations staff then enter into PACE to retrieve the alert details.

3.8 At Brisbane airport, the auditors were advised that Customs and Border Protection receives an average of 5-6 alerts per day. The auditors observed that all alert faxes are physically secured within the Airport Operations Control Room. The Control Room can only be accessed through the Operations Office.

3.9 PAU alerts can only be received through the two computers in the Control Room as these are the only computers that have the correct feed configured to feed the PACE system.

3.10 The Operations Office is a secure work area that may only be accessed using a swipe card issued by Customs and Border Protection. Only Customs and Border Protection staff who work at Brisbane airport have swipe card access. Visitors to the Operations Office can only gain access if accompanied by authorised Customs and Border Protection officers.

3.11 All Customs and Border Protection officers have baseline security clearance to the Protected level. There is no requirement for an upgraded clearance for Control Room staff.

3.12 All computers in the secure work area are password protected (a combination of capitals, numbers and symbols is needed for all passwords). All the computers are linked via the Customs and Border Protection LAN.

3.13 Entry to the Control Room is controlled by a ‘key cabinet’. The key cabinet is fixed to a wall in the anteroom, a room that links the Operations Office to the Control Room.

3.14 Each staff member has their own personal login number and pin number to the key cabinet and the key cabinet will only allow the staff member to access the key for which they have clearance.

3.15 When authorised, officers will use a key from the cabinet to access the Control Room. If the Customs and Border Protection officer does not use the key in the relevant time frame, an alarm will be triggered.

3.16 CCTV surveillance cameras operate in both the anteroom and the Control Room 24 hours per day.

3.17 Entry to the Control Room is restricted to those Customs and Border Protection officers who work in the Control Room. Other Customs and Border Protection Airport Operations officers who do not have authorisation to enter the Control Room can interact with Control Room staff via a counter and window in the anteroom. Entry to the anteroom is restricted to Customs and Border Protection staff holding a valid swipe card.

3.18 Any staff member or visitor (such as the auditors) attending the Control Room who does not have their own personal login number and pin number to the key cabinet must be accompanied by an authorised officer and must sign in at the Control Room.

3.19 The Tactical Support Unit, also referred to as ‘Intell’, is also located in a secure work area that is accessed through swipe card only. Customs and Border Protection officers at Brisbane Airport have access to the Tactical Support Unit; this access is not as tightly restricted as the Control Room.

3.20 Customs and Border Protection advised that officers can only work within the Tactical Support Unit if they have Secret clearance, rather than just Protected clearance. Also, no officer would have access to the IT systems without Secret clearance.

3.21 At the Gold Coast airport, entry to the Control Room is also through an anteroom connected to a secure work area. Only authorised Customs and Border Protection officers have access to the control room.

Storage-Brisbane Airport

3.22 Hard-copy information is physically stored within Class 4 security safes, in accordance with the requirements for the storage of protected information. Auditors observed these safes in the Brisbane Control Room and the Brisbane Tactical Support Unit.

3.23 When the PAU alert unit faxes a PNR request through to the Brisbane Control Room, the Customs and Border Protection Control Room officer will access the PACE system to bring up the alert details.

3.24 A Control Room officer will then print off three copies. One copy is put on the clipboard in the Control Room, one copy is for the response team and one copy is for the Tactical Support Unit.

3.25 The copy on the clipboard is shredded once the alert is completed. However, if the subject of the alert is targeted for further action such as investigation, the copy will be retained on a protected file in the Control Room safe.

3.26 On a normal shift, an officer from the Tactical Support Unit will physically come to the anteroom and sign for the Intell alert copy.

3.27 The Tactical Support Unit officer will shred the alert copy at the end of their shift.

3.28 The alert copy for the response team is placed in a register and is available to the response team for collection through the anteroom. The auditors interviewed a Customs and Border Protection response team and were informed that the team leader on duty will physically attend the anteroom to check the register for alerts.

3.29 If there is an alert in the register, the team leader will sign the register and take the alert copy. Only the team leader on duty will sign this alert copy out of the register, accessed through the anteroom.

3.30 The alert copy will then be allocated by the team leader to a member of their response team and the team leader will physically hand the copy to the response team officer.

3.31 The response team officer will read the alert copy immediately upon receiving it and keep the copy on their person, generally in their pocket, for the remainder of their shift. In this way, the response team officer can refer to the alert during their shift, including when they are in the baggage area or behind the primary line.

3.32 At the end of the response team officer's shift the alert copy is shredded even when the alert triggers further enforcement action.

Storage-Gold Coast Airport

3.33 The Gold Coast Airport receives only a small number of PAU alerts. The auditors were advised that in some weeks they do not receive any PAU alerts.

3.34 At the Gold Coast Airport, when the PAU faxes through an alert to the Control Room, the Control Room officer will access the PACE system and print out an alert copy which sits on a specific area of the Control Room bench. The Control Room officer will then notify a response team leader once the alert has been received.

3.35 The response team officer and member of the response team will read the alert copy at the Control Room. Unlike at the Brisbane Airport, Customs and Border Protection officers at Gold Coast Airport do not keep the alert copy on their person. The alert copy never leaves the Control Room.

3.36 Once the relevant officers have read the alert copy, the copy is shredded.

Security policies and practices

3.37 Access to PNR data is limited to authorised officers. Access is approved by the Chief Executive Officer. Approvals are authorised pursuant to section 64AF of the Customs Act, and must be obtained and maintained within the PAU.

IT Security

3.38 The auditors are aware from previous Customs and Border Protection audits that a username and password are required to gain access to computers and that a layered level of logins is required to access the IT systems.

3.39 The auditors were advised that temporary PACE alerts originating from the PAU become inactive on the PACE system after 72 hours. However, once they become deactivated, they remain on the system for 90 days, after which these temporary PACE alerts are purged from the system.

Requests for Information at the Airports

3.40 At Brisbane Airport, the response team leader will decide whether to make a request for passenger information from the PAU. Once a request for information is made, the team leader will contact the Tactical Support Unit who in turn will contact the PAU in Canberra.

3.41 The Tactical Support Unit generally contacts the PAU by telephone if the matter is time sensitive. This is followed up by an email.

3.42 At Brisbane Airport, Customs and Border Protection use a central Intell email mailbox that is specific to the Brisbane Port (‘Intell Air’ mailbox). The auditors were advised that Level 3 position officers at Intell would have ownership of the ‘Intell Air’ mailbox. The auditors were advised that the Tactical Support Unit would use the ‘Intell Air’ mailbox to send the request for information to the PAU. The auditors were advised that the response from the PAU should come back to the ‘Intell Air’ mailbox.

3.43 The auditors were advised, however, that there have been occasions when a Tactical Support officer has sent a Request for Information to PAU from their own mailbox within the Customs and Border Protection system.

3.44 The auditors sought clarification on the processes for requests of information and were informed that the response from the PAU will go to the mailbox from which the request for information came. That is, if the request for information is made through the ‘Intell Air’ mailbox, that is where the response will go, while if the request for information comes from an officer's individual mailbox, that is where the response will be sent.

3.45 The auditors were advised of a request for information sent on the day of the audit from a Tactical Support officer's individual mailbox and were advised that the response from PAU came back to that mailbox.

3.46 The auditors were advised that Tactical Support Officers rarely made specific requests for PNR data.

3.47 There is no Intell office at the Gold Coast Airport. The Gold Coast Airport differs from Brisbane in that the Tactical Support Unit role is done through the response team leaders.

3.48 The team leader at Gold Coast Airport will make a request for information from the PAU in Canberra. There is no central ‘Intell Air’ mailbox equivalent at Gold Coast Airport.

Privacy issues

3.49 The auditors were informed that there was currently no shredder in the Brisbane Control Room so shredding had to take place in the concurrent Secure Work Area. The auditors were advised that a new shredder had been ordered for the Control Room.

3.50 The auditors noted that once the temporary PACE alerts are deactivated, they nevertheless remain on the system for 90 days. As the narrative contained in the PACE alerts may contain PNR data, the practical effect is that PNR data could remain on the system for 90 days when it was no longer needed. Nonetheless, this is within the limits allowed under the agreement between the European Union and Australia.

3.51 The auditors note there is a discrepancy between Brisbane Airport and Gold Coast Airport in the storage of hard copy PACE alerts. That is, at Brisbane Airport the response team officer will carry an alert copy on their person while at Gold Coast a hard copy alert does not leave the Control Room. The auditors acknowledge this can largely be attributed to the difference in traveller volume and infrastructure between the two airports.

3.52 The practice of staff at Brisbane airport of carrying an alert containing PNR information outside the anteroom of the Control Room and into the Primary and Secondary examination areas carries a risk that the information may be lost in the process.

3.53 The auditors note that, however slight, there is a risk that once the printed PAU alert copy has left the Control Room, there is a greater chance of an inadvertent and/or unauthorised disclosure of PNR data. The auditors acknowledge that this risk is balanced against the need for response team officers to handle information that would allow them to accurately identify a target from a large group of travellers.

3.54 The auditors noted that on some occasions requests were made through the ‘Intell Air’ mailbox and at other times through the officer's individual mailbox. The auditors would like Customs and Border Protection to clarify to all staff the correct procedures for making information requests.

3.55 If PNR information is contained in an individual's mailbox, there is a possibility that this information can be forwarded, inadvertently or otherwise, to other parties.

Best Privacy Practice Suggestions

3.56 The OAIC suggests that Customs and Border Protection review the current practice of having PACE alerts kept in the PACE system for 90 days once the alerts are deactivated.

3.57 The OAIC suggests that Customs and Border Protection develop and implement a uniform email exchange process between the Tactical Support Unit and the PAU.

IPP 5 issues — Information relating to records kept by record-keeper

IPP 5.1 requires that, where a record keeper has possession or control of records containing personal information, the record keeper will take reasonable steps in the circumstances to enable any person to ascertain the nature of the information held, the main purposes for which the information is used, and the steps a person should take to obtain access to the record.

IPPs 5.3 and 5.4 also require that, where a record keeper has possession or control of records containing personal information, the record keeper will maintain and make available to the public and the Privacy Commissioner a listing of the personal information it holds. The listing will include the nature and purposes of keeping the record, the classes of individuals about whom records are kept, retention periods and access conditions to the records, and steps that should be taken by persons wishing to access the record. This listing is known as Customs and Border Protection's Personal Information Digest (PID).

Observations

3.58 The auditors noted that Customs and Border Protection's PID is available on the OAIC's website at: http://www.privacy.gov.au/materials/types/pids?sortby=62.

3.59 The auditors noted that section 26 in Customs and Border Protection's 2011 PID states that it holds passenger records for the purpose of profiling and targeting persons and/or aircraft that may present a threat to the integrity of Australia's borders. The PID records who in Customs and Border Protection has access to this information and to whom it may be disclosed.

Privacy issues

3.60 There were no specific issues identified in the audit in relation to Customs and Border Protection's record keeping.

IPP 6 Issues — Access to records containing personal information

IPP 6 provides that, where a record keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record except where one or more of certain exceptions under Commonwealth law apply.

Observations

3.61 The auditors noted that Customs and Border Protection's PID provides contact details for individuals wishing to obtain access to passenger records. This includes a telephone number for Customs and Border Protection's Privacy Contact Officer and Freedom of Information (FOI) Coordinator.

3.62 Customs and Border Protection is subject to the Freedom of Information Act 1982 (Cth) (the FOI Act) which requires Customs and Border Protection to release documents to any person who requests them, subject to the exceptions and exemptions in the FOI Act.

3.63 The auditors were aware from previous audits that a separate area of Customs and Border Protection (Passenger Policy) responds to FOI requests which may involve a request for PNR data.

3.64 For security and operational reasons, Customs and Border Protection does not advise passengers that they are the subject of an alert. As such, Customs and Border Protection does not routinely receive requests for access to PNR data specifically; however, requests may be made for other documents which might incidentally contain PNR data.

3.65 These FOI and other information requests are processed elsewhere, and do not directly involve Airport Operations staff.

Privacy issues

3.66 There were no specific issues identified in the audit in relation to access.

IPP 7 issues — Alteration of records containing personal information

IPP 7 requires a record keeper who has possession or control of a record that contains personal information to take such steps that are reasonable in the circumstances to ensure the record is accurate, and, having regard for the purpose for which the information was collected, relevant, up to date, complete and not misleading.

Where, despite an individual's request, the record keeper is not willing to correct, delete or amend personal information in the record and no decision or recommendation under an applicable Commonwealth law applies, the record keeper shall, following an individual's request, take reasonable steps to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Observations

3.67 The auditors are aware from previous audits that Airport Operations staff do not have access to PNR data or the PNR database and are therefore unable to alter an individual's record. This is processed by Customs and Border Protection's Privacy Contact Officer and Freedom of Information (FOI) Coordinator.

Privacy issues

3.68 There were no specific issues identified in the audit in relation to the alteration of PNR information.

IPP 8 Issues — Record-keeper to check accuracy etc of personal information before use

IPP 8 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information without taking steps that are reasonable in the circumstances to ensure that, having regard for the purpose for which the information is proposed to be used, the information is accurate, up to date, and complete.

Observations

3.69 Airport Operations staff do not have direct access to PNR information.

3.70 However, auditors were informed that Airport Operations staff confirm the accuracy of the information provided by the PAU through conducting interviews with persons of interest.

Privacy Issues

3.71 There were no specific issues identified in the audit in relation to the accuracy of PNR data before use.

IPP 9 — Personal information used only for relevant purposes

IPP 9 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information except for a relevant purpose.

Observations

3.72 Customs and Border Protection holds passenger records, including PNR information, for the purpose of identifying and targeting persons and/or aircraft that may present a threat to the integrity of Australia's borders.

3.73 Airport Operations use PNR information for the purpose of targeting persons who may be a threat to the integrity of Australia's borders.

Privacy issues

3.74 There were no specific issues identified in the audit in relation to Customs and Border Protection using PNR information only for relevant purposes.

IPPs 10-11 Issues — Limits on use and disclosure of personal information

IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply.

IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record keeper shall include in the record containing that information a note of the use.

IPP 11 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions apply.

IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include in the record containing that information a note of the disclosure.

IPP 11.3 provides that, where personal information is disclosed under IPP 11, the person, body or agency shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.

Observations

3.75 Customs and Border Protection primarily uses PNR data for the purpose of undertaking risk assessment and clearance of all passengers arriving into and departing from Australia. These functions extend to the prevention of terrorism and related crimes as well as other serious crimes including those that are transnational in nature.

3.76 Airport Operations' use of PNR data is minimal, given the limited amount of PNR data involved in the process of clearing passengers arriving into and departing from Australia.

3.77 The auditors observed Customs and Border Protection officers actioning alerts created by the PAU.

3.78 Typically, a PAU alert containing an alert notification report reference number is sent to Airport Operations rooms at the Brisbane and Gold Coast airports on a single-page fax containing no personal information or PNR data. Its purpose is solely to advise the Control Room that an alert has been created and to provide the alert notification report reference number. This number is then used to access (through PACE) the relevant information and/or PNR data on the individual.

3.79 If further information relating to PNR data is required by Airport Operations staff, they will request the Tactical Support Unit to contact the PAU to obtain the specified information, if available.

3.80 At the start of each shift, the Tactical Support Officers access the PACE system and print out alert reports corresponding to any faxes received from the PAU.

3.81 Alerts are communicated to team leaders and then to the Airport officers, and where required, passengers who are the subject of alerts (which might originate from PAU or other sources) are risk assessed and may have their baggage searched and/or be interviewed.

3.82 Passengers are not informed that they are the subject of an alert.

3.83 The results of any search and interview are then recorded by officers in the National Intelligence System (NIS), and in the case of PNR-originated alerts, a feedback form is completed and emailed back to PAU using Customs and Border Protection's internal, security-classified email system.

3.84 All information obtained by officers from the PAU alerts is used for the primary purpose of its collection: that of targeting persons who may be a threat to the integrity of Australia's borders. Any PNR information in these alerts is not directly used for other secondary purposes. The auditors were advised that where an individual who was identified through an alert is subject to further legal action, the primary evidence for that action will have been obtained through the intervention of Customs and Border Protection officers. For example, evidence would be obtained through a luggage search or interview. The PAU alert itself (and the PAU) is not generally required to form primary evidence against an individual charged with an offence.

Privacy Issues

3.85 During the process observed by the auditors there was no disclosure of the information sourced from the alerts. All of the information remained within Customs and Border Protection.

3.86 There were no specific issues identified in the audit in relation to use and disclosure.

Other Privacy Issues

Training

3.87 The auditors were informed that all staff are required to complete annual online training in Administrative Law and receive performance assessment feedback.

3.88 The training module includes learning on the Privacy Act and the FOI Act.

3.89 Customs and Border Protection also has online internal documents relating to policies and procedures on the handling of personal information and staff obligations in relation to the Act.

Privacy Issues

3.90 There were no specific issues identified in the audit in relation to Customs and Border Protection's training of staff.

Part 4 — Summary of Recommendations and Best Privacy Practice Suggestions

4.1 The audit team found no breaches of the IPPs and makes no recommendations regarding Customs and Border Protection's information handling practices in meeting its obligations under the Act.

4.2 The OAIC suggests that Customs and Border Protection review the current practice of having PACE alerts kept in the PACE system for 90 days once the alerts are deactivated.

Auditee response

The auditee accepted this suggestion and did not provide any further comments.

4.3 The OAIC suggests that Customs and Border Protection develop and implement a uniform email exchange process between the Tactical Support Unit and the PAU.

Auditee response

The auditee accepted this suggestion and did not provide any further comments.

Appendix A — Information Privacy Principles

Principle 1 — Manner and purpose of collection of personal information

  1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:
    1. the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and
    2. the collection of the information is necessary for or directly related to that purpose.
  2. Personal information shall not be collected by a collector by unlawful or unfair means.

Principle 2 — Solicitation of personal information from individual concerned

Where:

  1. a collector collects personal information for inclusion in a record or in a generally available publication; and
  2. the information is solicited by the collector from the individual concerned:

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:

  1. the purpose for which the information is being collected
  2. if the collection of the information is authorised or required by or under law — the fact that the collection of the information is so authorised or required; and
  3. any person to whom, or any body or agency to which, it is the collector's usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first mentioned person, body or agency to pass on that information.

Principle 3 — Solicitation of personal information generally

Where:

  1. a collector collects personal information for inclusion in a record or in a generally available publication; and
  2. the information is solicited by the collector:

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:

  1. the information collected is relevant to that purpose and is up to date and complete; and
  2. the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Principle 4 — Storage and security of personal information

A record-keeper who has possession or control of a record that contains personal information shall ensure:

  1. that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
  2. that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Principle 5 — Information relating to records kept by record-keeper

  1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
    1. whether the record-keeper has possession or control of any records that contain personal information; and
    2. if the record-keeper has possession or control of a record that contains such information:
      1. the nature of that information
      2. the main purposes for which that information is used; and
      3. the steps that the person should take if the person wishes to obtain access to the record.
  2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.
  3. A record-keeper shall maintain a record setting out:
    1. the nature of the records of personal information kept by or on behalf of the record-keeper
    2. the purpose for which each type of record is kept
    3. the classes of individuals about whom records are kept
    4. the period for which each type of record is kept
    5. the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and
    6. the steps that should be taken by persons wishing to obtain access to that information.
  4. A record-keeper shall:
    1. make the record maintained under clause 3 of this Principle available for inspection by members of the public; and
    2. give the Commissioner, in the month of June in each year, a copy of the record so maintained.

Principle 6 — Access to records containing personal information

Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

Principle 7 — Alteration of records containing personal information

  1. A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:
    1. is accurate; and
    2. is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.
  2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.
  3. Where:
    1. the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and
    2. no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

    the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Principle 8 — Record-keeper to check accuracy etc of personal information before use

A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.

Principle 9 — Personal information to be used only for relevant purposes

A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.

Principle 10 — Limits on use of personal information

  1. A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:
    1. the individual concerned has consented to use of the information for that other purpose
    2. the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person
    3. use of the information for that other purpose is required or authorised by or under law
    4. use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or
    5. the purpose for which the information is used is directly related to the purpose for which the information was obtained.
  2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use.

Principle 11 — Limits on disclosure of personal information

  1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:
    1. the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency
    2. the individual concerned has consented to the disclosure
    3. the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person
    4. the disclosure is required or authorised by or under law; or
    5. the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.
  2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure.
  3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.

Appendix B — Airport Operations Brisbane (Reference to PNR Data)

This organisational chart shows 6 levels of roles within Airport Operations Brisbane. The roles are linked with solid lines unless otherwise specified.

  • National Manager, Airport Operations North
    • Director, Airport Operations Brisbane
      • Manager, Operations
        • Duty Managers (including Operational Planner role) (x 9)
          • Team Leaders (x 17)
            • Customs Officers
      • Manager, Assessment & Response
        • [This level is skipped in the flowchart — the role below links directly to the role above]
          • Air Border Security Team Leaders (x5)
            • Air Border Security Officers
        • Strategic Airport Planner [This is linked to the roles below via a dotted line]
          • Tactical Support Officers (x 3)
          • Target Development Passengers

Appendix C — Airport Operations Gold Coast (Reference to PNR Data)

This image shows the Australian Government: Australian Customs and Border Protection Service crest. It is entitled "Airport Operations Gold Coast" and shows a photo of Gold Coast airport and an organisational chart. The organisational chart shows 6 levels of roles within Airport Operations Gold Coast. The roles are linked with solid lines unless otherwise specified.

  • National Manager, Airport Operations North
    • Manager, Airport Operations Gold Coast
      • Supervisor, Planning and Support
        • Team Leader
          • 1 x Fulltime Level 1
            • 6 x MIPT
        • Team Leader
          • 1 x Fulltime Level 1
            • 6 x MIPT
        • Team Leader
          • 1 x Fulltime Level 1
            • 6 x MIPT
        • Team Leader
          • 1 x Fulltime Level 1
            • 6 x MIPT
      • Supervisor, Airport Operations
        • Team Leader
          • 1 x Fulltime Level 1
            • 6 x MIPT
        • Team Leader
          • 1 x Fulltime Level 1
            • 6 x MIPT
        • Team Leader
          • 1 x Fulltime Level 1
            • 6 x MIPT
        • Team Leader
          • 1 x Fulltime Level 1
            • 6 x MIPT

Note 1: The Supervisor, Planning and Support and Supervisor, Airport Operations roles are linked with a faint line. This links to a child role, 2 x Level 1 OSG, on the 5th level of the flowchart hierarchy, via a faint line.

Note 2: There is an additional role, 8 x CFE, on the 6th level of the flowchart hierarchy. It is linked via a solid line to the 4th Team Leader role.
